Secure information storage is essential for any system which relies on the credibility of the information to work. For example, in a system where a person has credentials which enable him or her to access different types of information or services, a great deal of resources are devoted to ensuring that the integrity of the credentials is maintained. This has in the past involved centralised secure data storage which the credential issuing authorities can regulate and control. One such system is now described with reference to FIG. 1.
A prior art system 10 for storing and providing access to a user's credentials (or permissions) comprises a central credential management and authorisation centre 12 and a central database 14. The central database 14 stores information concerning all the users who are registered with the central credential management and authorisation centre 12. In the present illustration there are three users, Mr A, Mr B and Mr C. Each user has its own set of credentials which are stored at dedicated location sites 16, 18, 20 within the central database 14.
The central credential management and authorisation centre 12 and the central database 14 are owned by the credential issuing authority 22 which in this illustration is labelled CR1. The credential issuing authority 22 can maintain the security of the credentials it has issued because it controls their storage, updating, revocation and also proxying (when one credential is temporarily assigned to another user).
The CR1 credential issuing authority 22 is connected in this illustration to the Internet 24 (though in practice this could be any communications medium). This allows the users (Mr A, Mr B and Mr C) to access the site from their respective web browsers 26, 28, 30. Furthermore, an information site 32 can also access the credentials stored at the credential issuing authority 22, as is described in the following example.
When Mr A wishes to access a service from the information site 32 via his web browser 26, Mr A requests the service and provides information which identifies his credential issuing authority 22. (Typically, this may be realised in credit card details being provided by Mr A to the information site which needs to check his credit limit from the credit card issuing authority.) The information site 32 then requests Mr A's credentials from the credential issuing authority 22. Mr A's credentials 16 are retrieved from the central database 14 by the central credential management and authorisation centre 12 and forwarded to the information site 32. If Mr A's credentials are sufficient to allow access to the requested services, the information site 32 supplies them to Mr A.
Supplying credentials in this way is secure and appears to be relatively straightforward for the single enquiry case. However, in practice the database 14 typically stores the credentials of hundreds of thousands of users. This gives rise to the problem that, as the number of users increases, access time increases, slowing down the operation of the system 10. This time delay is an inherent problem associated with a centrally provided resource but has been accepted up to now by users and authorities alike because of the ease with which the security issues of the credentials can be handled.
Another difficulty is that the central database will need to update its information at regular intervals and, during this downtime, it is generally not possible for any third party to access information within the database 14, even if that information is itself not being updated. Also, if Mr A wishes to proxy some of his credentials to Mr B, then Mr A can only make a request which will hopefully be actioned by the credential issuing authority 22 at its next update. The difficulty is that Mr A can only indirectly carry out the proxy because he is relying on the credential issuing authority 22 to make the necessary changes to his and Mr B's credentials 18 stored in the database 14.
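The behaviour described above can be modelled in a few lines. The following Python sketch is an added illustration, not part of the original description: the class and function names and the "service-x" credential are hypothetical, and it assumes the simplest reading of the text, in which proxy requests are queued until the next update and the whole database is unreadable while that update runs.

```python
class CredentialAuthority:
    """Toy model of the centralised authority (CR1) and its central database."""

    def __init__(self, records):
        self.db = {user: set(creds) for user, creds in records.items()}
        self.pending = []       # proxy requests waiting for the next update
        self.updating = False   # True while the database is being updated

    def get_credentials(self, user):
        # Called by an information site. The whole database is unavailable
        # during an update, even for records that are not being changed.
        if self.updating:
            raise RuntimeError("central database unavailable during update")
        return frozenset(self.db.get(user, ()))

    def request_proxy(self, owner, delegate, credential):
        # The owner cannot change the records directly; the request is queued.
        self.pending.append((owner, delegate, credential))

    def run_update(self):
        # Periodic update: the authority itself applies the queued requests.
        self.updating = True
        try:
            for owner, delegate, credential in self.pending:
                # Only a registered delegate can receive a credential, and
                # only from an owner who actually holds it.
                if credential in self.db.get(owner, ()) and delegate in self.db:
                    self.db[delegate].add(credential)
            self.pending.clear()
        finally:
            self.updating = False


def site_grants(authority, user, required):
    """Information site check: fetch the user's credentials and compare."""
    return required in authority.get_credentials(user)


def demo():
    # Constructed sample data: Mr A holds "service-x", Mr B and Mr C hold nothing.
    cr1 = CredentialAuthority({"Mr A": {"service-x"}, "Mr B": set(), "Mr C": set()})
    before = site_grants(cr1, "Mr B", "service-x")
    cr1.request_proxy("Mr A", "Mr B", "service-x")
    queued = site_grants(cr1, "Mr B", "service-x")  # request not yet actioned
    cr1.run_update()
    after = site_grants(cr1, "Mr B", "service-x")
    return before, queued, after
```

Calling `demo()` shows that Mr B is refused both before the proxy request and while it is queued, and is granted access only after the authority has run its update.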
Furthermore, if Mr A wishes to assign his credentials to another person who is not registered with the credential issuing authority 22, but with another credential issuing authority 34 (CR2), then this may simply not be possible as CR1 may consider such an external proxy to be a loss of control over their credentials. If it is possible, then the procedure for updating the other person can be very complicated and time consuming. Also, the revocation or updating of the credentials proxied to people registered with other authorities 34 becomes complicated and slow to implement.